I am currently using netcat (but it could be telnet, sbd, etc) to do some banner grabbing. So far, I only find example for HTTP and FTP servers... But what about other services? I poked around and found some more ways of getting information with netcat:

HTTP

Code:

nc -v 192.168.1.10 80
HEAD / HTTP/1.0
[ENTER] [ENTER]

- or -

GET / HTTP/1.0
[ENTER] [ENTER]

FTP

Code:

nc -v 192.168.1.59 21

SSH

Code:

nc -v 192.168.1.59 22

MS-SQLServer

Code:

nc -v 192.168.1.59 1433

MySQL

Code:

nc -v 192.168.1.59 3306

And so on!

So my question really is: yes, you can use netcat to connect to every single port and get the banner of well-known services. But what about other TCP ports with no obvious response without the proper prompt (like a web server)? We need to provide the service with some precise query parameters. So do you guys know about other data that could be sent to a TCP port that doesn't give an obvious reply?

Don't forget SMTP, IMAP, and POP with netcat. You can also use Nmap's ncat with the --ssl option to connect to ssl-based services (or use sslproxy with one of the netcat variants that don't support ssl).

Your best bet would be to perform a packet capture while establishing a legitimate connection to see what information is normally transmitted, and then adjust that as necessary.

You could then use packet-crafting utilities, such as HPing, Scapy, PackEth, etc. (or hexedit and file2cable if you are feeling particularly l33t) to generate your custom packets.

Disclaimer: I don't have much hands-on experience with this, but I think that looks right in theory

Thanks for the hints. I've heard about AMAP but I've never used it. Its last release was in January 2006, so is it too old to detect recent services?!?

My goal wasn't so much about ruling out false positives. I was more looking for an easy way to look at one or two ports on a machine. My question really was "what to do" when you see a strange port open. The answer seems to be:

1) Start a network sniffer
2) Connect to the service with telnet/netcat and see what happens
3) Launch some tools like nmap scripts or AMAP
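As an added example (not code from any post in this thread): a small Python banner grabber that does what step 2 above describes, and what the earlier reply suggests for silent services. It connects, waits briefly to see whether the service talks first (as sshd, ftpd, smtpd do), and only if the port stays quiet sends a protocol-appropriate probe such as the `HEAD / HTTP/1.0` request from the first post. The probe table, the two local "fake" services (`ssh_like`, `http_like`) and the loopback ports are all constructed for this example so it runs offline; none of them is a real host from the thread.

```python
import socket
import threading
import time

# Probes to send when a service stays silent after connect. This table is
# constructed for the example; the requests are the usual "client speaks
# first" openers for each protocol (HTTP, SMTP, POP3, IMAP).
PROBES = {
    80:   b"HEAD / HTTP/1.0\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\n\r\n",
    25:   b"EHLO probe.example\r\n",
    110:  b"CAPA\r\n",
    143:  b"a001 CAPABILITY\r\n",
}
# Fallback for unknown ports: a couple of line endings often provoke an
# error message that still identifies the service.
GENERIC_PROBE = b"\r\n\r\n"


def recv_with_timeout(sock, timeout, bufsize=4096):
    """Read whatever arrives within `timeout` seconds; b"" if nothing did."""
    chunks = []
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            data = sock.recv(bufsize)
        except (socket.timeout, OSError):
            break
        if not data:          # peer closed the connection
            break
        chunks.append(data)
    return b"".join(chunks)


def grab_banner(host, port, timeout=1.0, probe=None):
    """Return (phase, data): 'banner' if the service spoke first,
    'probe' if it only answered after we sent a probe, 'silent' otherwise."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = recv_with_timeout(sock, timeout)
        if banner:
            return ("banner", banner)
        # Quiet port: the service wants the client to speak first.
        if probe is None:
            probe = PROBES.get(port, GENERIC_PROBE)
        try:
            sock.sendall(probe)
        except OSError:
            return ("silent", b"")
        reply = recv_with_timeout(sock, timeout)
        return ("probe", reply) if reply else ("silent", b"")


# --- constructed test doubles, standing in for real services ---------------

def start_fake_service(handler):
    """Start a one-shot TCP listener on 127.0.0.1 and return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def ssh_like(conn):
    """Talks first, the way sshd does."""
    conn.sendall(b"SSH-2.0-OpenSSH_9.6\r\n")
    time.sleep(0.2)


def http_like(conn):
    """Stays silent until it sees a request line, the way a web server does."""
    conn.settimeout(5)
    req = conn.recv(1024)
    if req.startswith(b"HEAD "):
        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: fake/0.1\r\n\r\n")


if __name__ == "__main__":
    for name, handler, probe in (("ssh", ssh_like, None),
                                 ("http", http_like, PROBES[80])):
        port = start_fake_service(handler)
        phase, data = grab_banner("127.0.0.1", port, probe=probe)
        print(f"{name}: port {port} -> {phase}: {data!r}")
```

Against a real target you would pass the real port so the probe is picked from the table, and run tcpdump alongside (step 1) to see exactly what went over the wire when the service does answer.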